Last Modified: Jul 12, 2023
Known Affected Versions:
13.0.1, 13.0.0, 184.108.40.206, 220.127.116.11, 12.1.3, 12.1.2, 12.1.1, 12.1.0, 12.0.0, 11.6.3, 11.6.2, 11.6.1, 11.6.0
Opened: May 23, 2018 Severity: 3-Major
When an LTM pool is configured with only FQDN members, the DNS server resolves the FQDN to IP addresses that match statically-configured LTM nodes, and the IP address records returned by the DNS server then change, the original ephemeral member is not removed from the pool and no ephemeral pool member is added to the pool for the new IP address.
Traffic for the affected pool is not sent to the correct pool member (the new ephemeral address); it is instead sent to the incorrect pool member (the old ephemeral address).
This may occur when:
1. Static nodes are configured which match addresses that may be returned in the DNS query for a given FQDN name.
2. An FQDN node is created with autopopulate disabled, for an address which may resolve to the same address as one of the static nodes.
3. This FQDN node is added (as a pool member) with autopopulate disabled, to a pool with no other non-FQDN members.
4. The DNS server resolves the FQDN name to an IP address that matches one of the static nodes.
5. A subsequent DNS query resolves the FQDN name to a different IP address that matches a different static node.

Note: This symptom can occur only if the statically-configured node is created prior to creating an ephemeral pool member for the same IP address. If an ephemeral pool member and node are created first, it is not possible to create a statically-configured node or pool member using the same IP address.
This issue can be prevented by either of these methods:
-- Avoid configuring a static (non-FQDN) node with an IP address that matches any address that might be returned by the DNS server when resolving the FQDN.
-- Add a statically-configured pool member to the pool in addition to the FQDN template member.

Once this symptom occurs, you can recover by performing one of the following actions:
-- Delete the statically-configured node with the conflicting IP address.
-- Delete the FQDN pool member from the pool, then re-add the FQDN pool member to the pool.
-- Delete and recreate the pool.
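
The conditions and prevention methods above can be checked against a configuration inventory. The following is an added example, not F5 code: the inventory layout, the `Pool` and `audit` names, and the sample addresses are all assumptions made for illustration.

```python
# Added example; the inventory layout and all names are hypothetical.
from dataclasses import dataclass, field

@dataclass
class Pool:
    name: str
    static_members: set = field(default_factory=set)  # IPs of non-FQDN members
    fqdn_members: dict = field(default_factory=dict)  # fqdn -> autopopulate enabled?
    ephemeral: dict = field(default_factory=dict)     # fqdn -> ephemeral IPs now in pool

def audit(pools, static_nodes, dns_answers):
    """Return {pool name: [(kind, fqdn, [ips])]} for pools matching the conditions."""
    findings = {}
    for pool in pools:
        if pool.static_members:  # a static member in the pool prevents the issue
            continue
        notes = []
        for fqdn, autopopulate in sorted(pool.fqdn_members.items()):
            if autopopulate:  # the listed conditions require autopopulate disabled
                continue
            current = set(dns_answers.get(fqdn, ()))   # latest DNS answer
            present = set(pool.ephemeral.get(fqdn, ()))  # members actually in the pool
            overlap = (current | present) & set(static_nodes)
            if not overlap:
                continue  # no static node shares an address with this FQDN
            notes.append(("at-risk", fqdn, sorted(overlap)))
            if present - current:  # old ephemeral member was not removed
                notes.append(("stale", fqdn, sorted(present - current)))
            if current - present:  # new address has no ephemeral member
                notes.append(("missing", fqdn, sorted(current - present)))
        if notes:
            findings[pool.name] = notes
    return findings

# Constructed sample data (RFC 5737 documentation addresses).
STATIC_NODES = {"192.0.2.10", "192.0.2.20"}
DNS_ANSWERS = {"app.example.com": {"192.0.2.20"}}
POOLS = [
    Pool("app_pool", fqdn_members={"app.example.com": False},
         ephemeral={"app.example.com": {"192.0.2.10"}}),
    Pool("mixed_pool", static_members={"192.0.2.30"},
         fqdn_members={"app.example.com": False}),
]

if __name__ == "__main__":
    print(audit(POOLS, STATIC_NODES, DNS_ANSWERS))
```

A "stale" finding paired with a "missing" finding for the same FQDN corresponds to the symptom described above: the old ephemeral address still receives traffic and the new one was never added.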